Abstract: A system is described for preserving integrity of computing devices. A manifest that uniquely identifies files on a computing device is periodically captured from the computing device. The manifest is compared against a reference manifest, which represents an ideal or clean state of the device. If the manifest comparison indicates that there have been changes to the contents of the computing device, the system can determine whether the changes constitute a compromise to the endpoint's integrity. If it is determined that a change constitutes a compromise to the endpoint's integrity, the system can perform certain remedial actions, such as sending a message to an administrator or enforcing a base layer onto the device so that the content of the device is replaced with a clean image.

Abstract: A storage system may assign a different encryption key to each logical storage unit (LSU) of a storage system. For each LSU, the encryption key of the LSU may be shared only with host systems authorized to access data of the LSU. In response to a read request for a data portion received from a host application executing on the host system, encryption metadata for the data portion may be accessed. If it is determined from the encryption metadata that the data portion is encrypted, the data encryption metadata for the data portion may be further analyzed to determine the encryption key for the data portion. The data may be retrieved from the storage system, for example, by performance of a direct read operation. The retrieved data may be decrypted, and the decrypted data may be returned to the requesting application.

Abstract: In an approach for classifying and storing multiple layers of a file system as platform-dependent and platform-independent layers, a processor generates an initial layer of a file system. The initial layer is a platform-dependent base layer. A processor assigns one or more files associated with the initial layer with a first group identification as a first same group in a file registry for a plurality of platforms. A processor generates a new layer based on the initial layer into the file system. A processor, in response to the new layer being platform-independent, marks the new layer as platform-independent in the file registry. A processor pushes the new layer into the file registry for one of the plurality of platforms. A processor distributes one or more corresponding files from the file registry per a client request to access the file system.

Abstract: A method and an apparatus for processing a screen by using a device are provided. The method includes obtaining, at the second device, a display screen displayed on the first device and information related to the display screen according to a screen display request regarding the first device, determining, at the second device, an additional screen based on the display screen on the first device and the information related to the display screen, and displaying the additional screen near the display screen on the first device.

Abstract: A device, system and method for securely executing recursive computations over encrypted data in a homomorphically encrypted (HE) space. For a recursive algorithm with sequentially dependent recursive iterations, executing the recursive algorithm in parallel by computing multiple recursive iterations simultaneously over multiple parallel execution iterations and not in sequential order. Each parallel execution iteration may compute a partial HE solution of multiple sequential recursive iterations comprising a known HE part and leaves empty a placeholder call slot for an unknown HE part. Placeholder call slots remain empty and are filled at delayed times at a later parallel execution iteration from when the known part of the same HE computation is computed. A final HE solution is computed in fewer multiple parallel execution iterations than the number of sequential recursive iterations, thereby accelerating the recursive algorithm in HE space.

Abstract: A method including determining, by the first device for a group, a group access key pair including a group access public key and a group access private key; determining, by the first device, a sharing encryption key based on the group access private key and an assigned public key associated with a second device; encrypting, by the first device, the group access private key based on utilizing the sharing encryption key; determining, by a second device, a sharing decryption key based on the group access public key and an assigned private key associated with the second device; decrypting, by the second device, the group access private key based on utilizing the sharing decryption key; and accessing, by the second device, the group based on utilizing the group access private key. Various other aspects are contemplated.

Abstract: A terminal device includes a processor, a direct stream digital (DSD) audio playback circuit, and a headset jack. The processor is connected to the DSD audio playback circuit, and the DSD audio playback circuit is connected to the headset jack. The processor outputs a DSD audio signal to the DSD audio playback circuit in response to triggering performed by a user. The DSD audio playback circuit is configured to process the DSD audio signal, generate an alert tone based on a current scenario, and superpose the processed DSD audio signal and the alert tone. The headset jack is configured to connect to a headset and play the superposed audio signal and alert tone using the headset.

Abstract: Methods for rotating cryptographic keys to revoke access to encrypted data stored on a remote server. Obtaining a first cryptographic key from a key store. Generating a second cryptographic key at a user device. Obtaining a first chunk of data from an encrypted file stored on the remote server. Decrypting the first chunk of data using the first cryptographic key to provide a decrypted first chunk of data. Re-encrypting the decrypted first chunk of data using the second cryptographic key to provide a re-encrypted first chunk of data. Uploading the re-encrypted first chunk of data to the remote server from non-persistent storage. Repeating the steps until an entire encrypted file has been decrypted and re-encrypted. Combining all the re-encrypted chunks of the encrypted file to provide a reassembled encrypted file that is associated with the second cryptographic key. Updating the remote server with the reassembled encrypted file associated with the second cryptographic key.

Abstract: Various aspects of the disclosure relate to test automation systems with pre-compilers to validate various steps associated with a test script. An artificial intelligence (AI)-based pre-compiler may use natural language processing (NLP) to validate various steps associated with a test script associated with an application. Other aspects of this disclosure relate to automated encryption and mocking of test input data associated with test scripts.

Abstract: An apparatus includes a packet encryption circuit that uses an encryption keys to encrypt each of two or more portions of a data packet. Each portion is encrypted with a different encryption key and includes one or more layers of the data packet. A first portion includes a layer of the data packet with MAC information. The apparatus includes a packet transmitter that transmits, from a source router, an encrypted data packet to an intermediate router between the source router and a destination router. The encrypted data packet includes an encrypted version of the data packet encrypted using the encryption keys. The intermediate router has encryption keys sufficient for a service level agreement of the intermediate router and lacks a portion of the encryption keys. The source and destination routers use a MAC security standard for encryption and decryption of the data packet using the encryption keys.

Abstract: This disclosure describes methods, non-transitory computer readable storage media, and systems that provide secure password sharing across a plurality of users and client devices via a shared folder. For example, in one or more embodiments, the disclosed system retrieves a public key set including public encryption keys for client devices having access to the shared folder. The disclosed system provides the public key set to a client device requesting to share the shared folder. The disclosed system receives an encrypted payload for the shared folder and a shared encryption key that is utilized to encrypt the payload and is encrypted in the shared folder utilizing the public key set. The disclosed system also detects key rotation events and notifies one or more client devices to generate a modified shared encryption key and re-encrypt the payload for storage within the shared folder.

Abstract: An encrypted data storage system includes a storage system that is configured to store encrypted data, and a first client device that is coupled to the storage system. The first client device performs a hash operation on first data to generate a Data Encryption Key (DEK), and uses the DEK to perform a data encryption operation on the first data to generate encrypted first data. The first client device then uses a first Key Encryption Key (KEK) to perform a first key encryption operation on the DEK to generate a first encrypted DEK, associates the first encrypted DEK with the encrypted first data, and transmits the encrypted first data to the storage system for storage.

Abstract: The systems and methods disclosed herein transparently provide data security using a cryptographic file system layer that selectively intercepts and modifies (e.g., by encrypting) data to be stored in a designated directory. The cryptographic file system layer can be used in combination with one or more cryptographic approaches to provide a server-based secure data solution that makes data more secure and accessible, while eliminating the need for multiple perimeter hardware and software technologies.

Abstract: Access to data and resources in a multi-tenant computing system is managed by tagging the data and resources with attributes, as well as by tagging users with attributes. Tenant-specific access policies are configured. When an access request is received from a workload, a policy decision engine processes the attributes that are tagged to the requesting workload (e.g., user, application, etc.) as well as those tagged to the requested data or resource, given a relevant tenant-specific policy. An access decision is provided in response to the access request, and the access decision can be enforced by a tenant-specific enforcement system.

Abstract: Technologies are provided to ensure integrity of erasure coded data that is subject to read and write access from distributed processes. Multiple processes that access erasure coded data can be coordinated in an efficient, scalable and fault-tolerant manner so that integrity of the original data is maintained. The Technologies include a fault-tolerant access coordination protocol that ensures exclusive write access by a client. The coordination protocol achieves scalability by not relying on centralized components, and achieves efficiency and performance by piggy-packing access coordination messages on operations of the underlying erasure coding protocol.

Abstract: A method including determining, by a device, a sharing decryption key based at least in part on an assigned private key associated with the device and a group access public key associated with a group; decrypting, by the device, a group access private key associated with the group by utilizing the sharing decryption key; and decrypting, by the device, encrypted content included in a folder associated with the group based at least in part on utilizing the group access private key associated with the group. Various other aspects are contemplated.

Abstract: A scheme for securely transferring a patient data file to an intended recipient regardless of a transfer mode selected by a sender. Encryption system executing at the sender device is operative to encrypt each plaintext data line of a file, one by one, using a symmetric key and a starting IV that is incremented per each line, resulting in corresponding ciphertext lines added to an encrypted file. A hash is generated based on the encrypted file. An encrypted header containing the symmetric key, starting IV and the hash is generated using a public key of the recipient, which is appended to the encrypted file. The encrypted header and associated encrypted file are transmitted to the recipient in any manner. Upon receipt, the recipient decrypts the encrypted header using a private key to obtain the symmetric key, starting IV and the hash, which are used by the recipient to validate and decrypt the encrypted file on a line-by-line basis.

Abstract: A device obtains previously created data content. The device unmasks and extracts one or more chain of custody blocks stored in association with the data content. The one or more chain of custody blocks includes chain of custody data identifying who, when, where, and, with what hardware and/or software, created or edited the data content. The device analyzes the one or more chain of custody blocks and validates an origination of the data content based on the analysis of the one or more chain of custody blocks.

Abstract: A distributed database encrypts tables using table encryption keys protected by a client master encryption key. The client may revoke authorization to access the client master encryption key. Subsequent to a revocation of authority to access the client master encryption key, the distributed database generates interim snapshots of the table using the table encryption key. Also subsequent to the revocation, the distributed database generates a backup of the table using a backup encryption key protected by the client master encryption key.

Abstract: A system is provided for securing electronic data by aggregation of distributed electronic database entries. The system may comprise two or more data repositories that may be logically and/or physically separated from one another. Incoming data may be split into multiple parts that may be stored in a distributed manner across the two or more data repositories. Each of the parts of the incoming data may be associated with an identifier and/or a sequence number such that the system, upon receiving a user query for such data, may aggregate the individual parts of the data in the correct sequence. In some embodiments, the system may further use an obfuscation algorithm to apply randomized values to the identifiers and/or sequence numbers and track the operations performed in an obfuscation log. In this way, the system may provide a way to securely store and retrieve data to prevent unauthorized access.

Abstract: A method of performing ordered statistics between at least two parties is disclosed which includes identifying a first dataset (xA) by a first node (A), identifying a second dataset (xB) by a second node (B), wherein xB is unknown to A and xA is unknown to B, and wherein A is in communication with B, and wherein A and B are in communication with a server (S), A and B each additively splitting each member of their respective datasets into corresponding shares, sharing the corresponding shares with one another, arranging the corresponding shares according to a mutually agreed predetermined order into corresponding ordered shares, shuffling the ordered shares into shuffled shares, re-splitting the shuffled shares into re-split shuffled shares, and performing an ordered statistical operation on the re-split shuffled shares, wherein the steps of shuffle and re-split is based on additions, subtractions but not multiplication and division.

Abstract: Systems, methods, and media for the automated removal of private information are provided herein. In an example implementation, a method for automatic removal of private information may include: receiving a transcript of communication data; applying a private information rule to the transcript in order to identify private information in the transcript; tagging the identified private information with a tag comprising an identification of the private information; applying a complicate rule to the tagged transcript in order to evaluate a compliance of the transcript with privacy standards; removing the identified private information from the transcript to produce a redacted transaction; and storing the redacted transcript.

Abstract: An apparatus for validating an identity of an individual based on biometrics includes a memory and a processor operatively coupled to a distributed database and the memory. The processor is configured to provide biometric data as an input to a predefined hash function to obtain a first biometric hash value. The processor is configured to obtain, using a first pointer to the distributed database, a signed second biometric hash value. The processor is configured to define a certification of the biometric data in response to verifying that a signature of the signed second biometric hash value is associated with the compute device and verifying that the first biometric hash value corresponds with the second biometric hash value. The processor is configured to digitally sign the certification using a private key associated with the processor to produce a signed biometric certification and store the signed biometric certification in the distributed database.

Abstract: Implementations provide self-consistent, temporary, secure storage of information. An example system includes short-term memory storing a plurality of key records and a cache storing a plurality of data records. The key records and data records are locatable using participant identifiers. Each key record includes a nonce and each data record includes an encrypted portion. The key records are deleted periodically. The system also includes memory storing instructions that cause the system to receive query parameters that include first participant identifiers and to obtain a first nonce. The first nonce is associated with the first participant identifiers in the short-term memory. The instructions also cause the system to obtain data records associated with the first participant identifiers in the cache, to build an encryption key using the nonce and the first participant identifiers, and to decrypt the encrypted portion of the obtained data records using the encryption key.

Abstract: The invention discloses a full-text fuzzy search method for similar-form Chinese characters in a ciphertext domain. The method realises a fuzzy search in the Chinese ciphertext domain based on a symmetric searchable encryption scheme and an inverted index structure, supports a fuzzy search on Chinese characters having similar glyphs in ciphertext status, ensures that searching results are ordered, and supports a multi-keyword logical connection fuzzy search. The present invention uses a distributed search engine Lucene and a Chinese word segmentator IKAnalyzer to perform full-text word segmentation on a document and constructs a plaintext inverted index comprising similar-form Chinese characters by means of the established similar-form character library of 3,755 commonly used Chinese characters.

Abstract: Methods, apparatus, systems and articles of manufacture for detecting malware via analysis of a screen capture are disclosed. An example apparatus includes a process detector to detect execution of a macro-executing process. An image capturer is to, in response to detection of the macro-execution process, capture an image of a user interface of the macro-executing process. A similarity analyzer is to analyze the image to determine an image similarity to a stored image in a repository of malicious macro interfaces. A responder is to perform a responsive action in response to the image similarity meeting or exceeding a similarity threshold.

Abstract: A computer-implemented method is provided for removing access to data, comprising: receiving a request from the user to delete the user data; suspending control of the user data; generating a second database comprising the user data under full control of the user; deleting the user data from the database; and, on request re-integrating the user data into the same database or integrating into a further database. By providing a database under complete control of the user and outside the control of any database manager or service provider, users are given more freedom to decide what to do with their data. They can choose to protect it, or to monetize it themselves by selling it or licensing it. They can also create a plurality of copies, allowing sales to more than one database manager or service provider.

Abstract: A computing device comprising a frontend and a backend is operably coupled to a plurality of storage devices. The backend comprises a plurality of buckets. Each bucket is operable to build a failure-protected stipe that spans two or more of the plurality of the storage devices. The frontend is operable to encrypt data as it enters the plurality of storage devices and decrypt data as it leaves the plurality of storage devices.

Abstract: Methods and systems for mapping a sharable resource using a one-time password are disclosed. An identifier included in a set of provided credentials uniquely associates the one-time password with an executable within a computing environment that hosts the sharable resource. When credentials are received in association with a mapping request, it is determined whether a supplied username corresponds to a user authorized to access the sharable resource and whether a representation of a supplied password received in association with the mapping request matches a representation of the one-time password. Validating the mapping request provides access to the sharable resource.

Abstract: Embodiments of the present specification disclose data processing methods, apparatuses, and devices. A method can include: obtaining data use authorization information sent by a data requester; verifying the data use authorization information; in response to successfully verifying the data use authorization information, sending data authorized to be accessed by the data use authorization information to the data requester, wherein the data is obtained from a trusted institution and is stored in trusted hardware; and storing, on a blockchain associated with a blockchain network, a data sending record for the data.

Abstract: Methods for rotating cryptographic keys to revoke access to encrypted data stored on a remote server. Obtaining a first cryptographic key from a key store. Generating a second cryptographic key at a user device. Obtaining a first chunk of data from an encrypted file stored on the remote server. Decrypting the first chunk of data using the first cryptographic key to provide a decrypted first chunk of data. Re-encrypting the decrypted first chunk of data using the second cryptographic key to provide a re-encrypted first chunk of data. Uploading the re-encrypted first chunk of data to the remote server from non-persistent storage. Repeating the steps until an entire encrypted file has been decrypted and re-encrypted. Combining all the re-encrypted chunks of the encrypted file to provide a reassembled encrypted file that is associated with the second cryptographic key. Updating the remote server with the reassembled encrypted file associated with the second cryptographic key.

Abstract: A system and method of managing object data stored in a heterogeneous cloud environment comprises a separate cloud management system disposed such that the communications path between a user and each cloud to which the user has access is a different communications path than that between the user and the cloud management system or the cloud management system and each of the clouds.

Abstract: In one embodiment, a method includes a method for provisioning private-cloud server nodes by receiving a request to provision a specified number of server nodes for a private cloud, wherein the request is associated with a user, identifying a plurality of server nodes including (a) the specified number of hypervisor server nodes from a first pool that includes prepared hypervisor server nodes, each of which includes a previously-installed hypervisor, and (b) a management server node from a second pool that includes prepared management server nodes, each of which includes a previously-installed hypervisor and one or more previously-installed management components, configuring the identified server nodes to use a network associated with the user, creating a private cloud that includes the identified server nodes, and providing, to the user, permission to access the identified server nodes.

Abstract: In certain embodiments, resource allocation related to records may be facilitated by generating and using modified instances of such records. In some embodiments, a set of records associated with a user may be stored in a memory area, where each such record includes a record identifier. In response to obtaining one or more commands related to a resource transfer from a user device associated with the user, a new set of records associated with the user may be generated such that each record of the new set is (i) a modified instance of a corresponding record of the record set and (ii) includes a record identifier different from the record identifier of the corresponding record. In one use case, the new records and its data may then be utilized to perform operations related to the user commands. In another use case, the new records may replace its older corresponding records.

Abstract: Embodiments disclosed herein relate to cryptology, and more particularly to secure sharing of data objects stored in the at least one cloud device between two user devices using the PRE. Embodiments herein disclose methods and systems for enabling a first user device to subscribe with a key server for uploading encrypted data object to at least one cloud device using the PRE. Embodiments herein disclose methods and systems for allowing the first user device to share the encrypted data object stored in the at least one cloud device with a second user through the key server using the PRE.

Abstract: An example hardware accelerator for a computer system includes a programmable device and further includes kernel logic configured in a programmable fabric of the programmable device, and an intellectual property (IP) checker circuit in the kernel logic. The IP checker circuit is configured to obtain a device identifier (ID) of the programmable device and a signed whitelist, the signed whitelist including a list of device IDs and a signature, verify the signature of the signed whitelist, compare the device ID against the list of device IDs, and selectively assert or deassert an enable of the kernel logic in response to presence or absence, respectively, of the device ID in the list of device IDs and verification of the signature.

Abstract: Disclosed herein are system, method, and computer program product embodiments for generating support user permissions to allow access to a cloud computing platform. In an embodiment, a host system may host a cloud computing platform and may provide access to the cloud computing platform to a tenant system. The tenant system may then facilitate access to the cloud computing platform to users. The tenant system may maintain a list of authorized users separate from the host system. In an embodiment, if the tenant system requests support from the host system to fix a problem, the host system is able to generate access for support users to access the cloud computing platform to troubleshoot the problem. In an embodiment, even though the tenant system maintains a separate list of authorized users, the host system is able to generate support user permissions.

Abstract: A solution for circumventing censorship is disclosed. A first device connects to a first server hosted in a content delivery network (CDN). The CDN routes the first device's connection request to the first server. The first server responds by providing the first device with a configuration file that contains a plurality of second servers for the first device to access. The first device disconnects from the first server and hops between one or more of the plurality of second servers contained in the configuration file. By distributing the configuration file from a first server hosted in a CDN, the first device obfuscates the true endpoint of the connection. Thus, the first device obtains the configuration file without drawing the ire of censors. By hopping from server-to-server, the first device stays one step ahead of censors. Accordingly, a multi-prong approach to staying a step ahead of eavesdroppers, sniffers, and censors is described.

Abstract: Disclosed embodiments relate to systems and methods for injecting verification code into source code files. Techniques include accessing a plurality of elements of source code from a source, identifying a plurality of sequentially ordered executable modules from the plurality of element and generating verification code. The techniques may further include configuring the verification code to verify the integrity of at least one of a plurality of neighboring executable modules and may also include injecting the verification code into one or more of the source code files.

Abstract: A content ingestion system and method allows a single pitch of media content and associated metadata to be provided by a content provider and processed into appropriate packages for different content distribution services or delivery platforms.

Abstract: The present teaching relates to a method, system, and programming for encrypted searching. In a search session, a uniform resource locator (URL) is received, wherein a portion of the URL is encrypted via a first key. A second key associated with the first key is obtained. A determination is made regarding whether a time-related criterion associated with the second key is satisfied. In response to the time-related criterion being satisfied, the portion of the URL is decrypted based on the second key to obtain a keyword, one or more search results are obtained based on the keyword, and a webpage including the one or more search results to be provided to a user is generated.

Abstract: A method may include obtaining input data for an application programming interface (API), and encrypting the input data for the API using a public key of a provider of the API. The method may also include transmitting, to an API management server, an API request that invokes the API, where the API request includes an API call for the API and the encrypted input data. The API request may be in a format such that the API management server is capable of performing API management services based on the API call but unable to decrypt the encrypted input data with the public key.

Abstract: Systems and methods for providing multimodal access to block devices in a distributed storage system are disclosed. In one implementation, a processing device may identify a block device snapshot stored at a block-based repository of a distributed storage system. The block device may also implement an object-based proxy container associated with the block-based repository. The processing device may further provide, to a client of the distributed storage system, access to the object-based proxy container via an object-based gateway of the distributed storage system.

Abstract: A method and system for secure storage of digital data offers enhanced resistance to threat actors (whether insiders or hackers) gaining unauthorised access to extract and manipulate data, and to brute force computational attacks. The method employs double randomised fragmentation of source data into a random number of fragments of random sizes, encryption of each fragment with a separate encryption key, storage of the encrypted fragments and keys and a catalogue of the mappings of locations and fragments to keys all in physically and logically separate locations in a secure storage estate (1). The method may be repeatedly applied to encrypted fragments, keys and catalogue in a cascade fragmentation process to add further levels of security.

Abstract: Some embodiments disclose a method and apparatus for processing data, a computer device and a storage medium. A method can include: acquiring, by a cloud storage system, a series of slices obtained by dividing a to-be-stored file; encrypting, by the cloud storage system, each slice by using a different data key; and storing, by the cloud storage system, an encrypted data ciphertext.

Abstract: A selection system for a database (DB) of items having a hierarchical order is disclosed. The selection system is configured to: provide a user interface (UI) that includes a configuration item (CI) search component, a CI hierarchy display component, and a CI lock display component; cause a plurality of CIs from the DB to be displayed in hierarchical order in the CI hierarchy display component, including an expansion widget for each displayed CI that is in a hierarchical path of a lower level CI wherein each expansion widget when selected causes the next level of CIs in the hierarchy to be displayed, and a CI selection widget for each displayed CI wherein when selected displays a visual indication that the CI associated with the selected CI selection widget has been selected and causes an identifier for the CI associated with the selected CI selection widget to be displayed in the CI lock display component.

Abstract: A method including determining, by a first device, a sharing encryption key based at least in part on a group access private key associated with a group and an assigned public key associated with a second device; encrypting, by the first device, the group access private key associated with the group utilizing the sharing encryption key; and transmitting, by the first device, the encrypted group access private key to enable the second device to access the group. Various other aspects are contemplated.

Abstract: In certain embodiments, resource allocation related to records may be facilitated by generating and using modified instances of such records. In some embodiments, a set of records associated with a user may be stored in a memory area, where each such record includes a record identifier. In response to obtaining one or more commands related to a resource transfer from a user device associated with the user, a new set of records associated with the user may be generated such that each record of the new set is (i) a modified instance of a corresponding record of the record set and (ii) includes a record identifier different from the record identifier of the corresponding record. In one use case, the new records and its data may then be utilized to perform operations related to the user commands. In another use case, the new records may replace its older corresponding records.

Abstract: A relay apparatus, which is connected between an information terminal and at least one peripheral device communicatively connected to the information terminal and supplying information to the information terminal, is recognized as a peripheral device by the information terminal, and recognized as an information terminal by the peripheral device. The relay apparatus comprises authentication means for authenticating a user using the information terminal by operating the peripheral device and control means for controlling relaying of an operation signal of the peripheral device operated by the user to the information terminal, based on an authentication result of the user.

Abstract: The present invention provides a health file access control system and method in an electronic medical cloud. The system comprises: a medical management center unit configured to generate a system public key and a system private key, and generate a private key for corresponding utilizer's attributes according to the system public key, the system private key, and a set of utilizer's attributes; an electronic medical cloud storage unit configured to receive and store a privacy-protected health file ciphertext; and at least one health file user access unit configured to encrypt the health file according to the system public key to obtain the privacy-protected health file ciphertext, and/or generate the set of utilizer's attribute, and decrypt the privacy-protected health file ciphertext according to the system public key and the private key for utilizer's attributes.